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ABSTRACT 


LOPA (Layer of Protection Analysis) is a simplified risk assessment tool that is uniquely useful 
for determining how “strong” the design should be for a SIF (Safety Instrumented Function — 
“interlock”). LOPA is a semi-quantitative tool that can estimate the required PFD (probability of 
failure on demand) for a SIF. It is readily applied after the Process Hazard Analysis (PHA) - for 
example, HAZOP - and before Fault Tree Analysis/Quantitative Risk Assessment. In most cases, 
the SIF Safety Integrity Level requirements can be determined by LOPA without using the more 
time-consuming tools of Fault Tree Analysis/Quantitative Risk Assessment. The tool is self- 
documenting. 


INTRODUCTION 


In the 1990s, companies and industry groups developed standards to design, build, and maintain 
Safety Instrumented Systems (SIS) (1, 2, 3). A key input for the tools and techniques required to 
implement these standards was the required Probability of Failure on Demand (PFD) for each 
Safety Instrumented Function (SIF). Process Hazard Analysis (PHA) teams and project teams 
struggled to determine the required Safety Integrity Level (SIL) for the SIFs (“interlocks”) (4). 
The concept of layers of protection and an approach to analyze the number of layers needed was 
first published by the Center for Chemical Process Safety (CCPS) in the 1993 book Guidelines 
for Safe Automation of Chemical Processes (1). From those concepts, several companies 
developed internal procedures for Layer of Protection Analysis (LOPA) (5), and, in 2001 CCPS 
published a book describing LOPA (6). This paper briefly describes the LOPA process, and 
discusses experience in implementing the technique. 


WHAT IS LOPA? 


LOPA is a semi-quantitative risk analysis technique that is applied following a qualitative hazard 
identification tool such as HAZOP. We describe LOPA as semi-quantitative because the 
technique does use numbers and generate a numerical risk estimate. However, the numbers are 
selected to conservatively estimate failure probability, usually to an order of magnitude level of 
accuracy, rather than to closely represent the actual performance of specific equipment and 
devices. The result is intended to be conservative (overestimating the risk), and is usually 
adequate to understand the required SIL for the SIFs. If a more complete understanding of the 
risk is required, more rigorous quantitative techniques such as fault tree analysis or quantitative 
risk analysis may be required. 
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LOPA starts with an undesired consequence — usually, an event with environmental, health, 
safety, business, or economic impact. The general format of a LOPA table is shown in Table 1. 


Table 1: General Format of LOPA Table 


Consequence Initiating Initiating Preventive Independent Protection Layers Mitigation Mitigated 
& Severity Event Event Probability of Failure on Demand (PFD) Independent Consequence 
(Cause) Challenge Protection Frequency 
Frequency Layers 


lyr. Process BPCS Operator SIF (PFD) lyr. 
Design (DCS) Response (PLC 
to Alarms relay) 


The severity of the consequence is estimated using appropriate techniques, which may range 
from simple “look up” tables to sophisticated consequence modeling software tools. One or more 
initiating events (causes) may lead to the consequence; each cause-consequence pair is called a 
scenario. LOPA focuses on one scenario at time. The frequency of the initiating event is 
estimated (usually from look-up tables or historical data). Each identified safeguard is evaluated 
for two key characteristics: 
e Is the safeguard effective in preventing the scenario from reaching the consequence? 
e AND, is the safeguard independent of the initiating event and the other IPLs 
(Independent Protection Layers)? 
If the safeguard meets BOTH of these tests, it is an IPL. LOPA estimates the likelihood of the 
undesired consequence by multiplying the frequency of the initiating event by the product of the 
PFDs for the applicable IPLs using Equation 1 (6). 


J 
fE =f) x| [ PED, 
j=l 


=f) x PFD, x PFD, x...x PFD, 
Where f. = frequency for consequence C for initiating event i 
f‘ = initiating event frequency for initiating event i 
PFD, = probability of failure on demand of the jth IPL that protects against consequence 


C for initiating event i. 


Typical initiating event frequencies, and IPL PFDs are given by Dowell (4, 5, 7) and CCPS (6). 
Figure 1 illustrates the concept of LOPA — that each IPL acts as a barrier to reduce the frequency 
of the consequence. Figure | also shows how LOPA compares to event tree analysis. A LOPA 
analysis describes a single path through an event tree, as shown by the heavy line in Figure 1. 


The result of the LOPA is a risk measure for the scenario — an estimate of the likelihood AND 
consequence. This estimate can be considered a “mitigated consequence frequency” — the 
frequency is mitigated by the independent layers of protection. The risk estimate can be 
compared to company criteria for tolerable risk for that particular consequence severity. If 
additional risk reduction is needed, more IPLs must be added to the design. Another option 
might be to redesign the process — perhaps considering inherently safer design alternatives (8, 9). 


(1) 
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IPLs are not successful 


Figure 1: Comparison between LOPA and event tree analysis 
[Copyright ©2001, AIChE, reproduced by permission] 


Frequently, the IPLs include SIFs. One product of the LOPA analysis is the required PFD of the 
SIF, thus defining the required SIL for that SIF. With the SIL defined, ANSVISA 84.01-1996 
(2), IEC 61508 (3), and, when finalized, draft IEC 61511 (11) should be used to design, build, 
commission, operate, test, maintain, and decommission the SIF. 


IMPLEMENTING LOPA 


Some important considerations and experience in implementing LOPA are discussed by Dowell 
(11), and these are summarized briefly below. A greatly expanded discussion of these points can 
be found in the original reference. 


Team Makeup — Some organizations conduct LOPA as a part of the PHA review, 
using the PHA team. This can be efficient because the team is familiar with the 
scenario and decisions can be recorded as part of the PHA recommendations. This 
approach works best when the risk tolerance criteria are applied to each scenario 
individually. Other companies have found it to be more efficient to capture the list of 
potential LOPA scenarios during the PHA, for later evaluation by a smaller team 
(perhaps just a process engineer and a person skilled in LOPA). The LOPA team may 
then report back to the PHA team on the results of their evaluation. Either approach 
may be used successfully. The important factor is that the process knowledge is 
incorporated in the LOPA and that the LOPA methodology is applied correctly and 
consistently. 


One Cause — One Consequence = One Scenario. It is critical that each LOPA 
scenario have only one cause and one consequence. Users may be tempted to 
combine causes that lead to the same consequence to save time in the analysis and 
documentation. Unfortunately, each IPL may not protect against each initiating event. 
For example, a SIF that blocks the feed flow into a reactor protects against high 
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pressure from the feed streams, but this SIF does not protect against high pressure 
caused by internal reaction. It is important each candidate IPL be evaluated for its 
effectiveness against a single initiating event leading to a single consequence. 


e Understanding what constitutes an IPL. An IPL is a device, system, or action that 
is capable of preventing a scenario from proceeding to its undesired consequence 
independent of the initiating event or the action of any other layer of protection 
associated with the scenario. The effectiveness and independence of an IPL must be 
auditable. All IPLs are safeguards, but not all safeguards are IPLs. Each safeguard 
identified for a scenario must be tested for conformance with this definition. The 
following keywords may be helpful in evaluating an IPL: 

o The “three Ds” help determine if a candidate is an IPL: 

= Detect — Most IPLs detect or sense a condition in the scenario. 

= Decide — Many IPLs make a decision to take action or not. 

= Deflect — All IPLs deflect the undesired consequence by preventing it. 
o The “four Enoughs” help evaluate the effectiveness of a candidate IPL: 

= Big Enough? 

"= Fast Enough? 


= Strong Enough? 
= Smart Enough? 


o The “Big I’ — Remember that the IPL must be independent of the initiating event 
and all other IPLs. 


e Understanding Independence. A critical issue for LOPA is determining whether 
IPLs are independent from the initiating event and from each other. The LOPA 
methodology is based on the assumption of independence. If there are common mode 
failures among the initiating event and IPLs, the LOPA will underestimate the risk for 
the scenario. Dowell (11) and CCPS (6) discuss how to ensure independence, and 
provide several useful examples. 


e Procedures and Inspections. Procedures and inspections cannot be counted as IPLs. 
They do not have the ability to detect the initiating event, cannot make a decision to 
take action, and cannot take action to prevent the consequence. Inspections and tests 
of the IPL do not count as another IPL. They do affect the PFD of the IPL. 


e Mitigating IPLs. An IPL may prevent the consequence identified in the scenario, 
but, through its proper functioning, it may generate another less severe, but still 
undesirable, consequence. A rupture disk on a vessel is an example. It prevents 
overpressurization of the vessel (although not 100% of the time — the rupture disk 
does have a PFD). However, the proper operation of the rupture disk results in a loss 
of containment from the vessel to the environment or a containment or treatment 
system. This best way do deal with this situation is to create another LOPA scenario 
to estimate the frequency of the release through the rupture disk, its consequence, and 
then determine if it meets the risk tolerance criteria. 
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Beyond LOPA. Some scenarios or groups of scenarios are too complex for LOPA. A 

more detailed risk assessment tool such as event tree analysis, fault tree analysis, or 

quantitative risk analysis is needed. Some examples where this might be true include: 

o A system that has shared components between the initiating event and candidate 
IPLs, and no cost effective way of providing independence. This system violates 
the LOPA requirement for independence between initiating event and IPLs. 

o A large complex system with many LOPA scenarios, or a variety of different 
consequences impacting different populations. This system may be more 
effectively analyzed and understood using quantitative risk analysis. 


Risk Criteria. Implementation of LOPA is easier if an organization has defined risk 
tolerance criteria. It is very difficult to make risk based decisions without these 
criteria, which are used to decide if the frequency of the mitigated consequence (with 
the IPLs in place) is low enough. CCPS (6) provides guidance and references on how 
to develop and use risk criteria. 


Consistency. When an organization implements LOPA, it is important to establish 
tools, including aids like look-up tables for consequence severity, initiating event 
frequency, and PFD for standard IPLs. The calculation tools must be documented, 
and users trained. All LOPA practitioners in an organization must use the same rules 
in the same way to ensure consistent results (6). 


CONCLUSION 


Process safety engineers and SIL assignment teams from many companies have concluded that 
LOPA is an effective tool for SIL assignment. LOPA requires fewer resources and is faster than 
fault tree analysis or quantitative risk assessment. If more detailed analysis is needed, the LOPA 
scenarios and candidate IPLs provide an excellent starting point. 


LOPA has the following advantages: 

Focuses on severe consequences 

Considers all the identified initiating causes, 

Encourages system perspective 

Confirms which IPLs are effective for which initiating causes 


Allocates risk reduction resources efficiently 


Provides clarity in the reasoning process, 

Documents everything that was considered, 

Improves consistency of SIL assignment 

Offers a rational basis for managing IPLs in an operating plant 
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NOMENCLATURE 


AIChE American Institute of Chemical Engineers 
BPCS Basic Process Control System 

CCPS Center for Chemical Process Safety 

DCS Distributed Control System 

HAZOP Hazard and Operability Analysis 


IEC International Electrotechnical Commission 

IPLs Independent Protection Layer 

ISA The Instrumentation, Systems, and Automation Society 
LOPA Layer of Protection Analysis 

PFD Probability of Failure on Demand 

PHA Process Hazard Analysis 

PLC Programmable Logic Controller 

SIF Safety Instrumented Function 

SIL Safety Integrity Level 

SIS Safety Instrumented System 


